Thursday, December 1, 2005

OpenAFS for Windows 1.4.1 RC2 and MIT Kerberos for Windows 3.0 Beta 2

Yesterday was a busy day. OpenAFS for Windows version 1.4.1 RC2 has been announced as well as MIT Kerberos for Windows beta 2.

The OpenAFS release can be downloaded from http://dl.openafs.org/dl/openafs/candidate/1.4.1-rc2/winnt/

The MIT Kerberos release can be downloaded from http://web.mit.edu/kerberos/.

MIT Kerberos for Windows 3.0 marks a turning point in the product's history. For the first time, KFW will allow users, through the new Network Identity Manager, to manage multiple Kerberos 5 identities at once. The NetIdMgr is based on the Khimaira Identity Management Framework, which was described in a talk at the 2005 AFS & Kerberos Best Practices Conference at CMU. A copy of the presentation can be found at: http://www.secure-endpoints.com/talks/AFS-BPW-2005-Khimaira.pdf

The Khimaira framework enables the concepts of "identity" and "credentials" to be managed separately. In the modules shipped with MIT KFW 3.0, a single Kerberos 5 identity manager is included that allows users to maintain identities based upon Kerberos 5 principal names, represented by Kerberos 5 Ticket Granting Tickets. Credential Managers are then provided to manage policy and perform initial credential acquisition and renewals for each specific credential type. In KFW 3.0, two Credential Managers are provided, one for Kerberos 5 and one for Kerberos 4. The Kerberos 5 Credential Manager maintains policy such as whether or not TGTs obtained should be forwardable or renewable, with what lifetimes, and whether or not they should be renewed before expiration. The Kerberos 4 Credential Manager receives a notification whenever a Kerberos 5 TGT is obtained and, based upon its policy, determines whether or not to generate a Kerberos 4 TGT via krb524d.
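As an added illustration of the renew-before-expiration decision a Kerberos 5 Credential Manager has to make (this is example code, not code from KFW, NetIdMgr or Secure Endpoints), the following Python model checks a cached TGT against a renewal policy; the `Tgt`, `Krb5Policy` and `renewal_action` names and the policy fields are assumptions of this example, not the NetIdMgr API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Tgt:
    """A Kerberos 5 TGT as a credential manager sees it in the cache (assumed shape)."""
    principal: str
    endtime: datetime
    renew_till: Optional[datetime] = None  # None: the ticket is not renewable


@dataclass
class Krb5Policy:
    """Hypothetical policy knobs of a Kerberos 5 Credential Manager."""
    auto_renew: bool = True
    renew_margin: timedelta = timedelta(minutes=10)  # act this long before expiry


def renewal_action(tgt: Tgt, policy: Krb5Policy, now: datetime) -> str:
    """Return 'keep', 'renew' or 'reacquire' for the given TGT.

    A renewal can only succeed while the ticket is still valid and while
    its renewable lifetime (renew_till) extends past the current endtime;
    in every other case the manager must obtain a fresh TGT instead.
    """
    if now >= tgt.endtime:
        return "reacquire"  # already expired: renewal is impossible
    if not policy.auto_renew:
        return "keep"       # policy says let the ticket lapse
    if now + policy.renew_margin < tgt.endtime:
        return "keep"       # not yet inside the renewal window
    if tgt.renew_till is None or tgt.renew_till <= tgt.endtime:
        return "reacquire"  # renewing would not extend the ticket at all
    return "renew"


if __name__ == "__main__":
    # Constructed sample: a ticket five minutes from expiry, renewable for a week.
    now = datetime(2005, 12, 1, 12, 0, tzinfo=timezone.utc)
    t = Tgt("user@EXAMPLE.COM", now + timedelta(minutes=5), now + timedelta(days=7))
    print(renewal_action(t, Krb5Policy(), now))  # renew
```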

Secure Endpoints is providing an AFS Credential Manager that can be used to obtain tokens for an arbitrary number of cells in response to a Kerberos 5 identity being updated with a new TGT.
It is hoped that other organizations will take advantage of this new framework to add support for automated X.509 Certificate Acquisition.
